non-HTTP(s) URLs now works with start #14370
Conversation
|
Thanks for the ping on this. I totally missed it! So ... I was probably wrong about a simple environment variable being able to do this. Is there anything to prevent malicious code from doing something like: $env.ALLOWED_SCHEMES = "http, https, bad"
start bad://rm -rf /That said, I'm still trying to figure out if this is really a problem. PowerShell doesn't seem to restrict the URL schemes that can be opened. If an application is installed in Windows to handle the scheme, I think I'm just not sure yet. If you did need to restrict it, you would have to set this in Or maybe ask the user for confirmation before launching? Again, I'm not sure any of this is necessary given the behavior of other platforms, but I'd definitely want to hear more opinions on it. |
|
i think that $env.config is a good approach ,but |
|
Is it necessary to control the allowed scheme with |
I don't see any benefit to it, based on my above comment.
That would limit the usefulness a bit. The original Discord discussion was about launching application links. At least Obsidian (from the original discussion) uses the What would be the benefit of disallowing the Spotify form? Side-note: PowerShell's I think the tl;dr here is that application links are just a natural part of all platforms at this point. If the application to handle them is on the system, there's not much we can do at that point, right? |
Yeah that's the point. I think start should open local path or a url, |
However, adding a precautionary check could be worthwhile. This would ensure users are aware when they’re adding schemes to the allowed list. While it’s not a stringent security measure, it could serve as useful bookkeeping.
Apologies for the rick-roll 😅 — never expected anyone to actually try it!
start should support the entire URI scheme, not just URLs,This would make it far more versatile and useful. |
I'm still not convinced. For the following reasons:
|
|
@WindSoilder Are you sure? I just |
|
@NotTheDr01ds TBH I haven't play with |
|
I see that there aren't any examples in the crate doc for this, but:
I think it's fair to say that our Doesn't it make sense to allow our implementation to take advantage of the behavior of those commands without limiting it to URLs? |
|
Rather than a environment variable, would it make sense to have a flag instead? I.e., Also, I think it would be safe to add the One more thing, I don't think it's necessary to have the alerts for unusual schemes. We will already require users to pass a flag or set an environment variable for unusual schemes. |
|
where are we at with this? |
|
Just waiting for response / fixes for my previous comment. |
this looks good. I will add these changes |
Yikes - Please no! IMHO, flags should only be for exceptions to the standard startup. If a user always wants to allow a certain scheme, then they would always have to start with the flag. I run That said, I'm not sure that an environment variable is "safe" here either.
Agreed - If we can figure out how to whitelist safely and conveniently. |
|
Actually, now I'm not sure if we even need the allow list for schemes. If I understand correctly, the application or scheme handler has the majority of the responsibility to ensure that opening a link does not do destructive or modifying actions. Or, if it does, then to prompt the user for confirmation or require some sort of authentication in the URL. I.e., if you have installed an application and have set it as the default handler for a scheme, then you are trusting that application to correctly and securely handle URLs with that scheme from any source. This is why the underlying OS openers (
But I might be wrong on this. @anomius mentioned in the issue that there are some potentially problematic schemes like "control://;rm -rf /. and changing browser settings". I couldn't find any information on this, so I just want to confirm whether these are issues. |
That's pretty much the conclusion I came to. I'm not sure about the PR itself, though - Would we be susceptible to badbatbut if we allowed this? |
|
Yeah, but that can be fixed in a follow up PR (or in this PR). |
|
Thanks for all the input. It seems like the consensus is that maintaining an explicit allow list for URL schemes isn’t really necessary. The OS and registered application handlers already provide a gatekeeping mechanism, and other shells or system commands don’t impose their own restrictions on schemes. Given this, I’m inclined to simplify the PR: We could introduce an optional, user-defined blacklist that resides in their Nushell config. This would let advanced users explicitly prevent certain schemes from being opened if they’re concerned about specific protocols. |
|
Hey, I was away on holiday, but I’ve now pushed the changes. If you could please review and merge them, that would be great. |
| let path_buf = Path::new(&path_no_whitespace).to_path_buf(); | ||
| let full_path = cwd.join(&path_buf); | ||
| // Check if the path exists or if it's a valid file/directory | ||
| if full_path.exists() || path_buf.components().count() == 1 { |
There was a problem hiding this comment.
What is the path_buf.components().count() == 1 for exactly? We already checked if full_path.exists().
| .item | ||
| .trim_end_matches(|x| matches!(x, '\x09'..='\x0d')) | ||
| .to_string(); | ||
| // Load allowed schemes from environment variable |
There was a problem hiding this comment.
| // Load allowed schemes from environment variable |
| .trim_end_matches(|x| matches!(x, '\x09'..='\x0d')) | ||
| .to_string(); |
There was a problem hiding this comment.
| .trim_end_matches(|x| matches!(x, '\x09'..='\x0d')) | |
| .to_string(); | |
| .trim_end_matches(|x| matches!(x, '\x09'..='\x0d')); |
| let cwd = engine_state.cwd(Some(stack))?; | ||
| let path_buf = Path::new(&path_no_whitespace).to_path_buf(); | ||
| let full_path = cwd.join(&path_buf); |
There was a problem hiding this comment.
| let cwd = engine_state.cwd(Some(stack))?; | |
| let path_buf = Path::new(&path_no_whitespace).to_path_buf(); | |
| let full_path = cwd.join(&path_buf); | |
| let cwd = engine_state.cwd(Some(stack))?; | |
| let full_path = cwd.join(path_no_whitespace); |
Refactor path handling in Start command to simplify whitespace trimming and path resolution - Removed unnecessary conversion to `String` after trimming whitespace from the input path. - Streamlined the path resolution process by directly joining the current working directory with the trimmed path. - Enhanced readability and maintainability of the code. This change improves the handling of file paths in the Start command, ensuring that whitespace is properly managed without redundant operations.
Refactor whitespace handling in Start command - Simplified the trimming of whitespace from the input path by removing unnecessary conversions. - Improved path resolution by directly joining the current working directory with the trimmed path. - Enhanced code readability and maintainability. This change ensures better handling of file paths in the Start command.
Refactor whitespace handling and path resolution in Start command - Simplified the trimming of whitespace from the input path by removing unnecessary conversions. - Improved path resolution by directly joining the current working directory with the trimmed path. - Enhanced code readability and maintainability. This change ensures better handling of file paths in the Start command.
If some running code already has the privilege to run system commands and do And if the OS is elevating privileges when/prior to opening a URL, then that's on the OS (either an OS setting needs to be changed, or it's a security bug in the OS). |
Yes, we reached agreement that this was not a concern. So happy to have this landed! |
Description
this PR should close #14315
This PR enhances the start command in Nushell to handle both files and URLs more effectively, including support for custom URL schemes. Previously, the start command only reliably opened HTTP and HTTPS URLs, and custom schemes like Spotify and Obsidian which were not handled earlier.
Added support for opening custom URL schemes, controlled via the ALLOWED_SCHEMES environment variable.
Users can now specify additional allowed schemes, e.g., spotify, obsidian, mailto, etc.
Implemented security checks to prevent opening URLs with disallowed schemes.
By default, only http and https schemes are allowed.
Users receive an informative error if they attempt to open a URL with a disallowed scheme.
Added warnings when opening URLs with schemes other than http and https.
Alerts users to exercise caution when opening links with unusual schemes.
Improved error reporting for failed external commands.
Captures and displays error output from the system to aid in debugging.
Example
Opening a custom URL scheme (e.g., Spotify):
Opens the specified track in the Spotify application.
User-Facing Changes
New Feature: The start command now supports opening URLs with custom schemes specified in the ALLOWED_SCHEMES environment variable.
Security Enhancement: By default, only http and https schemes are allowed to prevent unintended behavior.
Warning Messages: Users receive warnings when opening URLs with unusual schemes to promote caution.
Tests Added:
test_load_allowed_schemes_from_env_with_value checks that the environment variable is correctly read and parsed.
test_load_allowed_schemes_from_env_without_value ensures default schemes are used when the variable is unset.
test_url_allowed_scheme verifies that URLs with allowed schemes are processed.
test_url_disallowed_scheme checks that URLs with disallowed schemes are rejected.